treat empty NetworkPolicyPort as "all ports on TCP" during parsing #14720
Commit d7bd86fe0b03a390feec04bbf1ab44e2a908b045 does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin
d7bd86f to 06f12e9
👋 wanted to put this up for preliminary feedback even though it's failing some tests! I think I'm running into this at pkg/policy/api/rule_validation.go:388:
What's the best way to handle that? Making this change:
gets the tests to pass, but not sure if that would have other bad downstream consequences?
@jrajahalme do you mind taking a look? The port number is optional in a k8s network policy so it can be 0. To me the proposed fix by @mattfenwick makes sense.
Removing the zero test seems ok, my only concern is that L7 policies can only be applied if a port number has been specified. Would be good to add a test case with a port with default values and make sure it is rejected. Policy could be like this:
To be on the safe side this should be rejected by rule validation, maybe like this:
Marking as "draft" while feedback is addressed. If you would like clarification on the feedback, feel free to respond and ping the person who provided the feedback 🙂 When you would like additional review, scroll to the bottom of the page and click the "Ready for review" button.
Thanks for the reminder! 😄
06f12e9 to 3b3599d
thanks for the tip @jrajahalme ! I pushed an update to add an L7, but there's still something not quite right and one of the tests in the pkg/policy/api package is now failing. I think the problem is I'm not separating the code paths for validation for L3/L4 from L7, can you take a look?
The change I proposed above was a bit too brittle, as it would allow port values such as
@mattfenwick Sorry for the churn, I was kind of hoping I could have sent the latter comment above before you do any additional work on this! Anyway, there is a new diff w.r.t. your PR before the changes I suggested a bit earlier.
Fixes cilium#14678 Signed-off-by: Matt Fenwick <mfenwick100@gmail.com>
e1c5ccd to bc5f867
np 😄 applied the diff and updated!
test-me-please
The runtime tests all failed, which looks like a flake: https://jenkins.cilium.io/job/Cilium-PR-Runtime-4.9/4480/ I'll re-trigger the tests.
retest-runtime
test-runtime
test-1.21-4.9 (previous failure https://jenkins.cilium.io/job/Cilium-PR-K8s-1.21-kernel-4.9/271/)
LGTM, thanks so much for the fix :)
Merging as we have approval and CI is all green.
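The validation concern raised in this thread (an empty port entry parses to port 0 on TCP, which is acceptable for L3/L4 rules but has to be rejected once L7 rules are attached), as an added example that is not code from this PR or from Cilium. The types, the string port representation and the function names are assumptions made for illustration, and named ports are not handled.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// Hypothetical, simplified types; not Cilium's or Kubernetes' own structs.
type K8sPort struct {
	Protocol *string // nil when the manifest omits protocol
	Port     *int    // nil when the manifest omits port
}
type PortProtocol struct{ Port, Protocol string }
type PortRule struct {
	Ports []PortProtocol
	HasL7 bool // rule also carries L7 (for example HTTP) rules
}
var ErrL7NeedsPort = errors.New("L7 rules require an explicit non-zero port")

// ParsePort maps an empty entry to "all ports on TCP": port "0", protocol TCP.
func ParsePort(p K8sPort) PortProtocol {
	out := PortProtocol{Port: "0", Protocol: "TCP"}
	if p.Protocol != nil {
		out.Protocol = *p.Protocol
	}
	if p.Port != nil {
		out.Port = strconv.Itoa(*p.Port)
	}
	return out
}

// Validate allows wildcard port 0 for L3/L4-only rules, rejects it with L7.
func Validate(r PortRule) error {
	for _, pp := range r.Ports {
		n, err := strconv.ParseUint(pp.Port, 10, 16) // numeric ports only here
		if err != nil {
			return fmt.Errorf("invalid port %q: %w", pp.Port, err)
		}
		if n == 0 && r.HasL7 {
			return ErrL7NeedsPort
		}
	}
	return nil
}

func main() {
	all := []PortProtocol{ParsePort(K8sPort{})} // constructed input: empty entry
	fmt.Println(all, Validate(PortRule{Ports: all}), Validate(PortRule{Ports: all, HasL7: true}))
}
```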
Fixes: #14678
Test plan